更新得物newSign加密逻辑

2024-11-25 16:26:35 +08:00 · 2023-10-21 11:30:20 +08:00 · 2023-10-21 11:30:20 +08:00 · 4cf4fabfcb
commit 4cf4fabfcb
parent f13abb31b5
4 changed files with 150 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -43,6 +43,7 @@
 | 项目 | 难度 |
 | ---- | ---- |
 | 豆瓣 | 简单 |
+| 某物 | 中等 |

 ### 豆瓣

@ -55,4 +56,20 @@
 3. hook加密函数，分析加密流程
 4. 用python改写，实现发包

-总结算法： 豆瓣的_sig是由请求方式以及url的path和时间戳以&相连，进行一次hmacsha1，然后将结果转化为base64的格式
+总结算法： 豆瓣的_sig是由请求方式以及url的path和时间戳以&相连，进行一次hmacsha1，然后将结果转化为base64的格式
+
+### 某物
+
+第二个案例首先更新第一部分，newSign的获取。得物前几个版本比较简单，但是新版本有些内容不太一样
+
+第一，newSign放到so层添加，并且是VMP的so文件，在这里我们不分析这个so文件，在全局搜索其他部分，找到加密位置
+
+分析过程:
+1. 首先抓包分析，需要分析参数: newSign
+2. 全局搜索其他关键字
+3. hook函数，然后去so层分析
+4. 用python改写
+
+总结: 这个算法是将params添加四个额外的内容，排序，然后用aes加密之后在加密md5得到newSign
+
+之后更新搜索接口的加密以及解密...
--- a/得物/hook.js
+++ b/得物/hook.js
@ -0,0 +1,38 @@
+// hook 添加params试图定位添加newsign的地方
+Java.perform(function () {
+    // 导入类
+    var RequestUtils = Java.use("com.shizhuang.duapp.common.helper.net.ParamsBuilder");
+
+    // 找到类中的方法进行hook
+    RequestUtils.addParams.overload('java.lang.String', 'java.lang.Object').implementation = function(str, str1){
+        console.log(str, str1);
+        showStacks()
+        var res = this.addParams(str, str1);
+        return res;
+    }
+})
+// 定位加密点
+Java.perform(function () {
+    // 导入类
+    var RequestUtils = Java.use("com.duapp.aesjni.AESEncrypt");
+
+    // 找到类中的方法进行hook
+    RequestUtils.encode.implementation = function (obj, str) {
+    console.log('=================================================')
+       console.log('obj', obj);
+       console.log('str', str);
+       console.log('=================================================')
+        var res = this.encode(obj, str);
+        console.log(res)
+        console.log('=================================================')
+        showStacks()
+        console.log('=================================================')
+        return res;
+    }
+})
+// 显示调用栈
+function showStacks() {
+    Java.perform(function () {
+        console.log(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
+    });
+}
--- a/得物/newSign.py
+++ b/得物/newSign.py
@ -0,0 +1,52 @@
+import base64
+import time
+
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+import hashlib
+
+
+def get_newSign(search_dict: dict) -> tuple[str, str]:
+    new_dict = {
+        'uuid': '',
+        'timestamp': str(int(time.time() * 1000)),
+        'loginToken': '',
+        'platform': 'android'
+    }
+    new_dict.update(search_dict)
+    str_to_encode = ''.join(
+        [f'{k}{v}' for k, v in sorted(new_dict.items(), key=lambda item: item[0])]
+    )
+    newSign = encrypt(str_to_encode)
+    md5_hash = hashlib.md5()
+    md5_hash.update(newSign.encode())
+    return md5_hash.hexdigest(), new_dict['timestamp']
+
+
+def encrypt(plaintext):
+    cipher = AES.new("d245a0ba8d678a61".encode('utf-8'), AES.MODE_ECB)
+    padded_plaintext = pad(plaintext.encode('utf-8'), AES.block_size)
+    ciphertext = cipher.encrypt(padded_plaintext)
+    ciphertext = str(base64.encodebytes(ciphertext), 'utf-8').replace('\n', '')
+    return ciphertext
+
+
+if __name__ == '__main__':
+    params = {
+        "lastId": "",
+        "limit": "20",
+        "deliveryProjectId": "0",
+        "negativeFeedbackUids": "",
+        "negativeFeedbackCids": "",
+        "pushChannel": "",
+        "pushContentId": "",
+        "lastExposureCids": "",
+        "abV518Autoplay": "0",
+        "ab528feedsCardNewCommodity": "1",
+        "deviceNetwork": "WIFI",
+        "abVIcon": "2",
+        "abCoverReverse": "0",
+    }
+    print(get_newSign(params))
+
+
--- a/得物/测试主页推荐.py
+++ b/得物/测试主页推荐.py
@ -0,0 +1,42 @@
+import requests
+from newSign import get_newSign
+
+
+headers = {
+    "User-Agent": "duapp/5.28.0(android;9)",
+    "Connection": "Keep-Alive",
+    "Accept-Encoding": "gzip",
+    "cookieToken": "",
+    "webua": "Mozilla/5.0 (Linux; Android 9; SM-G977N Build/LMY48Z; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/92.0.4515.131 Mobile Safari/537.36/duapp/5.28.0(android;9)",
+    "duplatform": "android",
+    "duv": "5.28.0",
+    "duloginToken": "",
+    "shumeiid": "",
+    "X-Auth-Token": "",
+}
+cookies = {
+    "HWWAFSESTIME": ""
+}
+url = "https://app.dewu.com/sns-rec/v1/recommend/all/feed"
+params = {
+    "lastId": "",
+    "limit": "20",
+    "deliveryProjectId": "0",
+    "negativeFeedbackUids": "",
+    "negativeFeedbackCids": "",
+    "pushChannel": "",
+    "pushContentId": "",
+    "lastExposureCids": "",
+    "abV518Autoplay": "0",
+    "ab528feedsCardNewCommodity": "1",
+    "deviceNetwork": "WIFI",
+    "abVIcon": "2",
+    "abCoverReverse": "0",
+}
+sign_time = get_newSign(params)
+params['newSign'] = sign_time[0]
+headers['timestamp'] = sign_time[1]
+response = requests.get(url, headers=headers, cookies=cookies, params=params)
+
+print(response.json())
+